Criminal Justice Information Services, better known as CJIS, was established in 1992. The CJIS Division of the FBI is an intelligence center located in West Virginia. Used by almost 18,000 law enforcement agencies across the country, CJIS gives federal, state and local law enforcement access to a massive database of crime reports, fingerprints, and other agency data. This information can be used by compliant law enforcement agencies to protect the public, while also protecting the privacy of individuals. Because of the sensitivity of Interstate Information Index (III) which is considered Criminal History Record Information (CHRI), it is imperative that the data be stored and accessed securely. While, of course, used to fight crime and catch “the bad guys”, CJI data is also used for background checks to help ensure the safety of the public. The data must be treated with the sensitivity that it deserves.
CJIS compliance is not easy to attain, and requires regular audits to maintain. CJIS compliance standards strive to assure data interoperability across a wide range of law enforcement agencies. The standards drive confidentiality, integrity and availability of the CJI data. CJIS Security policy (https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center/view) is extensive and is ever evolving. A few basic requirements for compliance are:
- A limit of 5 unsuccessful login attempts by a user accessing CJIS
- Event logging various login activities, including password changes
- Weekly audit reviews
- Active account management moderation
- Session lock after 30 minutes of inactivity
- Access restriction based on physical location, job assignment, time of day, and network address
CJIS requirements also mandate, multifactor authentication and data encryption. Many small agencies do not have the staff and resources to reach the level that CJIS compliance requires for an on-premise data repository. As a result, many large and small agencies are turning to the cloud in order to meet those requirements. Cloud based CJIS compliancy is relatively new and has advantages to on-premises solutions with regard to resources. Of course, there are advantages to on-premise solutions, if you have the resources and personnel to support it.
Each agency must determine what is the right path and make a strategic decision. Can we afford to not be CJIS compliant? Will we support our data on-premise or in the cloud? With a path as important as CJIS, it must be an informed and strategic decision.